realm policyreferece attribute in krb5_ldap_read_realm_params()function

Savitha R rsavitha at
Thu May 22 06:15:01 EDT 2008

The current implementation does not make use of the policy reference at 
the realm object level. If you look at kdb5_ldap_util, it does not provide an 
option for you to set this attribute. The code to read the policy object in 
krb5_ldap_read_realm_params() never gets executed.

We had initially thought of supporting the policy reference at the realm level.
But later felt that it is sufficient to go with the attributes directly on the realm
object since we dont expect too many realm objects and configuring it directly 
on the realm wouldn't be an issue.


>>> On Tue, May 20, 2008 at  1:01 AM, in message
<1211225468.11251.20.camel at>, Klaus Heinrich Kiwi
<klausk at> wrote: 
> Hi,
>  looking at the krb5_ldap_read_realm_params() function (file:
> src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c), I'm trying to understand
> where does the rlparams->policyreference value comes from, since it's
> used in the conditional around line 1368.
> I was hoping to find a query to "krbTicketPolicyReference" along with
> other krbRealmContainer attributes right above this line.
>>From my initial analysis, looks like if *mask doesn't bring any of the
> LDAP_REALM_KRBTICKETFLAGS flags, the code to query those from the policy
> reference dn will always be skipped since rlparams->policyreference is
> always NULL (even if there *is* a krbTicketPolicyReference attribute in
> the Realm Container object).
> Any comments are welcome.
>  -Klaus

More information about the krbdev mailing list